OpenIDM OpenDJ Integration Best practice

This topic has 3 replies, 2 voices, and was last updated 6 years, 12 months ago by ssripathy.

  • #5691
     vasudevanms
    Participant

    Hi All,
    We have just started exploring using the OpenXX suite of services to enable our AuthZ and AuthN solution. At the moment, though, we are considering using only OpenAM and OpenDJ, wherein OpenAM will be our policy evaluation engine and OpenDJ our data repository. I noticed that the REST API for OpenAM exposes some APIs to create and manage identities. How is this different from OpenIDM provisioning? The OpenAM documentation clearly states that OpenIDM is the recommended way to provision users. In which specific scenarios will I use the OpenAM identity CRUD API?

    Thanks in advance
    Vasu

    #5704
     ssripathy
    Participant

    Hi Vasu,
    This could make for a lengthy discussion, but for the sake of brevity here are my 2 cents.
    First of all, the OpenIDM CRUD API would provision to its own database backend repo (e.g. Oracle, MySQL, etc.). After which you would need to sync to OpenDJ based on your requirements. OpenAM/OpenDJ should be used for authN/authZ, and so ideally a user profile in OpenDJ should store attrs pertinent to that functionality. The CRUD API in OpenAM lacks the flexibility available in OpenIDM. Plus, in OpenIDM provisioning use cases, you can implement RBAC and fields that affect sync to targets other than DJ such as AD, Google, etc.
    Not knowing your use cases, and if it's merely a pilot for some demo, using the OpenAM CRUD API would be just fine to demonstrate some basic functionality. It would be best to use products based on their individual strengths, and for that the documentation can reveal to you what that would be.
    Good luck!
    -sridhar

    #5716
     vasudevanms
    Participant

    Sridhar,
    Thanks for sharing your insight on this. Appreciate that. Very broadly, our use case involves multiple tenants who may share a single identity repository and also possibly the same Realm. To mimic RBAC we are simply creating LDAP groups with specific privileges associated with each group. Membership in a group would equate to a grant/deny of access to certain resources. Also, in our case our identity repository is not expected to integrate with external identity repos. I can see a clear use case in such cases (external identity repos) where OpenIDM would make perfect sense. But in our case I am on the fence. Thoughts?

    Vasu
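
The group-based RBAC described in the post above, as an added example that is not code from the thread or from ForgeRock: it models a shared multi-tenant directory where two tenants both define a group named "editors", so the check scopes membership by the tenant's DN suffix rather than by bare cn, and an explicit deny in any of the user's groups overrides an allow. The tenant OUs, group names, member DNs and the `privilege` attribute are constructed assumptions.

```python
# Constructed LDIF-style records (assumed schema: groupOfNames plus a
# custom 'privilege' attribute holding "allow|deny:<resource>:<action>").
LDIF = """
dn: cn=editors,ou=groups,o=tenantA,dc=example,dc=com
objectClass: groupOfNames
member: uid=alice,ou=people,o=tenantA,dc=example,dc=com
privilege: allow:docs:write
privilege: allow:docs:read

dn: cn=contractors,ou=groups,o=tenantA,dc=example,dc=com
objectClass: groupOfNames
member: uid=alice,ou=people,o=tenantA,dc=example,dc=com
privilege: deny:docs:write

dn: cn=editors,ou=groups,o=tenantB,dc=example,dc=com
objectClass: groupOfNames
member: uid=bob,ou=people,o=tenantB,dc=example,dc=com
privilege: allow:docs:write
"""


def parse_ldif(text: str) -> dict[str, dict[str, list[str]]]:
    """Minimal LDIF parser for the records above: {dn: {attr: [values]}}."""
    entries: dict[str, dict[str, list[str]]] = {}
    current: dict[str, list[str]] = {}
    for line in text.splitlines() + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries[current["dn"][0]] = current
            current = {}
            continue
        attr, _, value = line.partition(": ")
        current.setdefault(attr, []).append(value)
    return entries


def is_authorized(entries, user_dn: str, tenant_base: str, action: str) -> bool:
    """Grant only through groups under tenant_base; any explicit deny wins.

    Scoping by DN suffix stops tenant A's 'editors' group from being honoured
    when the same cn exists in tenant B's subtree of the shared repository.
    """
    decision = False
    for dn, attrs in entries.items():
        if not dn.endswith("," + tenant_base) or user_dn not in attrs.get("member", []):
            continue
        for priv in attrs.get("privilege", []):
            effect, _, target = priv.partition(":")
            if target == action and effect == "deny":
                return False  # deny overrides every allow
            if target == action and effect == "allow":
                decision = True
    return decision
```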

    #5718
     ssripathy
    Participant

    Vasu,
    So, with a provisioning product like OpenIDM you have the flexibility to write your own custom endpoints if in the future your delegated administration requirements change or become more complex. Plus, you have the flexibility to build workflows and a UI of your choice. Reporting and role-based features are going to get better in the next version.

    The choice of just sticking with OpenAM/OpenDJ in this case may seem fine in the short term, but any complexity not provided by that CRUD API in AM would need cracking open the OpenAM WAR and tinkering to make it do what you need it to do. The other choice would be that you may need to build your UI client and then make REST calls to OpenAM and REST/LDAP calls to OpenDJ to fulfill your requirements. In either case, it depends on your situation, i.e. immediate vs. long-term needs.
    -sridhar
